Analysis

  max time kernel    150s
  max time network   149s
  platform           windows10_x64
  resource           win10v20210410
  submitted          05-05-2021 17:52

Behavioral task
  behavioral1   Sample: SecuriteInfo.com.Heur.1516.25525.xls   Resource: win7v20210410
General

  Target   SecuriteInfo.com.Heur.1516.25525.xls
  Size     274KB
  MD5      86bcd1dbc5f256c0cd0ef95d57821946
  SHA1     6b7e3f13faafed23d1460ae25a2caef46a5ad8ae
  SHA256   bd7729979ce89a15f5a8195fa33f17c5fc59d5636f3294ef8f397decd6f05c79
  SHA512   660d524c08eee362d88920671f4adacb42278c7dcc749cd82b8d59cbfb8862fce3411e71a2388b73d150d91f7d9436a7d2e6fe0f39fd83eedc049804fbc60051
Malware Config

Extracted
  Family     trickbot
  Version    2000029
  Botnet     net10
  C2         103.66.72.217:443
             117.252.68.211:443
             103.124.173.35:443
             115.73.211.230:443
             117.54.250.246:443
             131.0.112.122:443
             102.176.221.78:443
             181.176.161.143:443
             154.79.251.172:443
             103.111.199.76:443
             103.54.41.193:443
             154.79.244.182:443
             154.79.245.158:443
             139.255.116.42:443
             178.254.161.250:443
             178.134.47.166:443
             158.181.179.229:443
             103.90.197.33:443
             109.207.165.40:443
             178.72.192.20:443
  Attributes
             autorun   Name:pwgrabb
             autorun   Name:pwgrabc

All twenty C2 endpoints in this config listen on 443; the botnet tag (gtag) is net10.
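The extracted C2 list turned into hunting artifacts, as an added Python example that is not part of the Triage report or of TrickBot: it parses the ip:port lines copied from the config above, checks constructed connection-log lines against the full (ip, port) tuple rather than the IP alone, and emits one Suricata rule covering the set. The connection-log format, the sample lines and the sid 9000001 are assumptions.

```python
"""Turn the extracted TrickBot C2 list into hunting artifacts.

Added example; this is not part of the Triage report or of TrickBot itself.
CONFIG_TEXT is the config block copied from the report above. The connection
log format and SAMPLE_CONN_LOG are constructed for the demo, and the Suricata
sid is an assumption to replace with one from your own range.
"""
import ipaddress
import re

CONFIG_TEXT = """\
trickbot
2000029
net10
103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443
"""

_C2_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def parse_c2(text):
    """Return [(ip, port), ...] for every ip:port line; other lines are ignored.

    ipaddress validates each octet, so a garbled line such as 999.1.1.1:443
    raises instead of silently entering a blocklist.
    """
    c2 = []
    for line in text.splitlines():
        m = _C2_LINE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        port = int(m.group(2))
        if ip.is_private or ip.is_loopback or not 0 < port < 65536:
            raise ValueError(f"refusing to blocklist {line.strip()!r}")
        c2.append((str(ip), port))
    return c2


def match_connections(c2, log_lines):
    """Match 'timestamp src_ip src_port dst_ip dst_port' lines (constructed format)
    against the C2 set on destination ip AND port.
    Returns [(timestamp, src_ip, (dst_ip, dst_port)), ...]."""
    wanted = set(c2)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue
        dst = (fields[3], int(fields[4]))
        if dst in wanted:
            hits.append((fields[0], fields[1], dst))
    return hits


def suricata_rule(c2, sid=9000001, botnet="net10", version="2000029"):
    """One Suricata rule covering every C2 address/port pair. sid is an assumption."""
    ips = ",".join(sorted({ip for ip, _ in c2}, key=ipaddress.ip_address))
    ports = ",".join(str(p) for p in sorted({p for _, p in c2}))
    return (f"alert tcp $HOME_NET any -> [{ips}] [{ports}] "
            f'(msg:"TrickBot C2 contact, gtag {botnet}, version {version}"; '
            f"flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)")


# Constructed connection log: two C2 contacts on 443, one benign TLS session to a
# documentation-range address, and one to a C2 address on a port not in the config.
SAMPLE_CONN_LOG = [
    "2021-05-05T17:53:01Z 10.0.0.15 49812 103.66.72.217 443",
    "2021-05-05T17:53:02Z 10.0.0.15 49813 203.0.113.10 443",
    "2021-05-05T17:53:07Z 10.0.0.15 49820 178.72.192.20 443",
    "2021-05-05T17:53:09Z 10.0.0.22 50100 103.66.72.217 80",
]

if __name__ == "__main__":
    c2 = parse_c2(CONFIG_TEXT)
    print(f"{len(c2)} C2 endpoints extracted")
    for ts, src, dst in match_connections(c2, SAMPLE_CONN_LOG):
        print(f"{ts} {src} -> {dst[0]}:{dst[1]}  TrickBot C2")
    print(suricata_rule(c2))
```

Matching on the (ip, port) tuple keeps a shared host on another port from firing; the trade-off is that a C2 moved to a new port is missed, so treat a bare-IP hit as a lower-confidence signal worth a second look. A list lifted from a single sample and gtag ages quickly: give it an expiry and refresh it from newer configs rather than letting it accumulate.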
Signatures

Process spawned unexpected child process   1 IoC
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description                                                                                              pid   pid_target  process       target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process   3864  3560        rundll32.exe  EXCEL.EXE

Templ.dll packer   1 IoC
  Detects Templ.dll packer which usually loads Trickbot.
  Processes:
    resource                                                                        yara_rule
    behavioral2/memory/1520-183-0x0000000004460000-0x0000000004686000-memory.dmp    templ_dll

Loads dropped DLL   1 IoC
  Processes:
    pid   process
    1520  rundll32.exe

Program crash   1 IoC
  Processes:
    pid   pid_target  process       target process
    3768  1520        WerFault.exe  rundll32.exe
  The 32-bit rundll32.exe that loaded the dropped module crashed and was handled by WerFault.exe (-u -p 1520 -s 664). The EnumeratesProcesses and AdjustPrivilegeToken hits for PID 3768 below are consistent with normal crash reporting of that process rather than with the malware itself.

Checks processor information in registry   2 TTPs   3 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                                                   process
    Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry   2 TTPs   3 IoCs
  Processes:
    description         ioc                                                              process
    Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener   1 IoC
  Processes:
    pid   process
    3560  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses   15 IoCs
  Processes:
    pid   process        count
    3768  WerFault.exe   15

Suspicious use of AdjustPrivilegeToken   4 IoCs
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   3768  WerFault.exe
    Token: SeBackupPrivilege    3768  WerFault.exe
    Token: SeDebugPrivilege     3768  WerFault.exe
    Token: SeDebugPrivilege     1676  wermgr.exe

Suspicious use of SetWindowsHookEx   17 IoCs
  Processes:
    pid   process     count
    3560  EXCEL.EXE   17

Suspicious use of WriteProcessMemory   9 IoCs
  Processes:
    description                         pid   process        target process   count
    PID 3560 wrote to memory of 3864    3560  EXCEL.EXE      rundll32.exe     2
    PID 3864 wrote to memory of 1520    3864  rundll32.exe   rundll32.exe     3
    PID 1520 wrote to memory of 1676    1520  rundll32.exe   wermgr.exe       4
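The three behaviours the signatures above describe (an Office parent spawning rundll32.exe, rundll32 being pointed at a non-DLL module by a relative path, and EXCEL.EXE reading the CentralProcessor and BIOS keys) as detection logic run over event records. This is an added Python example, not Triage's own signature code; the events are constructed, Sysmon-style dictionaries mirroring this report's process tree and registry IoCs plus two benign ones, and the field names (event, pid, image, parent_image, command_line, target_object) and the LOLBin list beyond rundll32.exe are assumptions.

```python
"""Detection logic for the process-tree and registry IoCs in the report above.

Added example (not Triage's signature code). Events are constructed,
Sysmon-style dictionaries modelled on this report's process tree and registry
IoCs; the field names (event, pid, image, parent_image, command_line,
target_object) are assumptions about the log schema.
"""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# The report only shows rundll32.exe; the other binaries are an assumed
# extension of the same "Office spawned a LOLBin" rule.
LOLBIN_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "cmd.exe", "powershell.exe"}
# Registry paths EXCEL.EXE read in the report; commonly queried to fingerprint sandboxes.
FINGERPRINT_KEYS = (
    r"hardware\description\system\centralprocessor\0",
    r"hardware\description\system\bios",
)
# "rundll32 <module>,<export>" with optional quoting and an optional full path to rundll32.
_RUNDLL32_MODULE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def office_spawns_lolbin(ev):
    """Matches the 'Process spawned unexpected child process' signature."""
    return (ev.get("event") == "process_create"
            and _basename(ev["parent_image"]) in OFFICE_APPS
            and _basename(ev["image"]) in LOLBIN_CHILDREN)


def rundll32_odd_module(ev):
    """rundll32 loading a module that is not a .dll (here .hde) or given by a relative path."""
    if ev.get("event") != "process_create" or _basename(ev["image"]) != "rundll32.exe":
        return False
    m = _RUNDLL32_MODULE.match(ev["command_line"])
    if not m:
        return False
    module = m.group(1).strip()
    return (PureWindowsPath(module).suffix.lower() != ".dll"
            or module.startswith(("..\\", ".\\")))


def office_reads_hw_fingerprint(ev):
    """Office process reading CPU/BIOS keys. Low fidelity on its own; use as context."""
    if ev.get("event") != "registry_query" or _basename(ev["image"]) not in OFFICE_APPS:
        return False
    return any(key in ev["target_object"].lower() for key in FINGERPRINT_KEYS)


RULES = {
    "office_spawns_lolbin": office_spawns_lolbin,
    "rundll32_odd_module": rundll32_odd_module,
    "office_reads_hw_fingerprint": office_reads_hw_fingerprint,
}


def evaluate(events):
    """Return [(rule_name, pid), ...] in event order for every rule that fires."""
    return [(name, ev.get("pid")) for ev in events
            for name, rule in RULES.items() if rule(ev)]


EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
# Constructed events mirroring the report, followed by two benign ones.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 3864, "image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "parent_image": EXCEL, "command_line": r"rundll32 ..\iofjgjfldnd.hde,StartW"},
    {"event": "process_create", "pid": 1520, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "command_line": r"rundll32 ..\iofjgjfldnd.hde,StartW"},
    {"event": "registry_query", "pid": 3560, "image": EXCEL,
     "target_object": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"event": "process_create", "pid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"event": "registry_query", "pid": 3560, "image": EXCEL,
     "target_object": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Office\16.0\Common"},
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name:30} pid {pid}")
```

The parent-child rule is the high-signal one and needs no allowlisting in most estates. The rundll32 module rule fires twice here because the 64-bit rundll32.exe re-executes the SysWOW64 copy with the same command line, so deduplicate on the command line and process tree before alerting. The registry rule is deliberately kept separate: Office binaries do read hardware keys on their own, so it should raise the score of a tree that already tripped one of the other rules rather than alert by itself.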
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE   PID 3560
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.1516.25525.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\rundll32.exe   PID 3864
    rundll32 ..\iofjgjfldnd.hde,StartW
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe   PID 1520
      rundll32 ..\iofjgjfldnd.hde,StartW
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\wermgr.exe   PID 1676
        C:\Windows\system32\wermgr.exe
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe   PID 3768
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 664
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

Reading the tree: the macro in the .xls launches rundll32 against the dropped file iofjgjfldnd.hde (a DLL with a non-.dll extension, referenced by the relative path ..\ from Excel's working directory) and calls its export StartW. The 64-bit rundll32.exe (PID 3864) re-executes the SysWOW64 copy (PID 1520) with the same command line, which is the standard hand-off when the module is 32-bit. PID 1520 then spawns wermgr.exe (PID 1676) and writes to its memory four times, after which wermgr.exe acquires SeDebugPrivilege; this is consistent with the loader injecting its payload into wermgr.exe, the host process TrickBot is known to use. PID 1520 itself crashes afterwards and is handled by WerFault.exe (PID 3768).
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (recorded twice, as C:\Users\Admin\iofjgjfldnd.hde and \Users\Admin\iofjgjfldnd.hde, with identical hashes)
  MD5      37062b08a85b8fe69f95a2c4f33fae05
  SHA1     a4199f5dd132fdbf4868e4e4fdfabf996d2dc319
  SHA256   b4ec0c58110e3b4b7e6ba76b5d5fc2eff7578763328daaadf39df270510fa7b8
  SHA512   48f07db9c62d586c381b7ff6120880db893c8133f0e8faa63982dd3cdbf8a78d9d2e5d4ff6a9afab859cebdb8dfbaf89fb5ff6f1baeb7f79a0971b1f5a522996
Memory dumps
  dump                                                                 size     note
  memory/1520-181-0x0000000000000000-mapping.dmp                       -        process mapping
  memory/1520-183-0x0000000004460000-0x0000000004686000-memory.dmp     2.1MB    matched YARA rule templ_dll
  memory/1520-185-0x0000000000C60000-0x0000000000CA3000-memory.dmp     268KB
  memory/1520-186-0x0000000000850000-0x0000000000851000-memory.dmp     4KB
  memory/1520-187-0x0000000010001000-0x0000000010003000-memory.dmp     8KB      0x10000000 is the default image base of a 32-bit DLL
  memory/1676-184-0x0000000000000000-mapping.dmp                       -        process mapping
  memory/1676-188-0x0000022E7BC20000-0x0000022E7BC48000-memory.dmp     160KB
  memory/1676-189-0x0000022E7BC60000-0x0000022E7BC61000-memory.dmp     4KB
  memory/3560-114-0x00007FF611670000-0x00007FF614C26000-memory.dmp     53.7MB
  memory/3560-115-0x00007FF8CDBE0000-0x00007FF8CDBF0000-memory.dmp     64KB
  memory/3560-116-0x00007FF8CDBE0000-0x00007FF8CDBF0000-memory.dmp     64KB
  memory/3560-117-0x00007FF8CDBE0000-0x00007FF8CDBF0000-memory.dmp     64KB
  memory/3560-118-0x00007FF8CDBE0000-0x00007FF8CDBF0000-memory.dmp     64KB
  memory/3560-121-0x00007FF8EE870000-0x00007FF8EF95E000-memory.dmp     16.9MB
  memory/3560-122-0x00007FF8CDBE0000-0x00007FF8CDBF0000-memory.dmp     64KB
  memory/3560-123-0x000002343CC50000-0x000002343EB45000-memory.dmp     31.0MB
  memory/3864-179-0x0000000000000000-mapping.dmp                       -        process mapping

The PID 1520 regions sit in the 32-bit address space of the SysWOW64 rundll32.exe; the 2.1MB region at 0x04460000 is the one the templ_dll rule hit, so it is the dump to start from when unpacking. The two non-image regions dumped from wermgr.exe (PID 1676), the process PID 1520 wrote into, are the place to look for the injected payload.